Holzinger, Philipp ; Hermann, Ben ; Lerch, Johannes ; Bodden, Eric ; Mezini, Mira (2017)
Hardening Java's Access Control by Abolishing Implicit Privilege Elevation.
San Jose, CA, USA
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
While the Java runtime is installed on billions of devices and servers worldwide, it remains a primary attack vector for online criminals. As recent studies show, the majority of all exploited Java vulnerabilities comprise incorrect or insufficient implementations of access-control checks. This paper for the first time studies the problem in depth. As we find, attacks are enabled by shortcuts that short-circuit Java's general principle of stack-based access control. These shortcuts, originally introduced for ease of use and to improve performance, cause Java to elevate the privileges of code implicitly. As we show, this creates many pitfalls for software maintenance, making it all too easy for maintainers of the runtime to introduce blatant confused-deputy vulnerabilities even by just applying normally semantics-preserving refactorings. How can this problem be solved? Can one implement Java's access control without shortcuts, and if so, does this implementation remain usable and efficient? To answer those questions, we conducted a tool-assisted adaptation of the Java Class Library (JCL), avoiding (most) shortcuts and therefore moving to a fully explicit model of privilege elevation. As we show, the proposed changes significantly harden the JCL against attacks: they effectively hinder the introduction of new confused-deputy vulnerabilities in future library versions, and successfully restrict the capabilities of attackers when exploiting certain existing vulnerabilities. We discuss usability considerations, and through a set of large-scale experiments show that with current JVM technology such a faithful implementation of stack-based access control induces no observable performance loss.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2017 |
| Autor(en): | Holzinger, Philipp ; Hermann, Ben ; Lerch, Johannes ; Bodden, Eric ; Mezini, Mira |
| Art des Eintrags: | Bibliographie |
| Titel: | Hardening Java's Access Control by Abolishing Implicit Privilege Elevation |
| Sprache: | Englisch |
| Publikationsjahr: | Mai 2017 |
| Verlag: | Curran Associates, Inc |
| Buchtitel: | 2017 IEEE Symposium on Security and Privacy (SP 2017) |
| Band einer Reihe: | 2 |
| Veranstaltungsort: | San Jose, CA, USA |
| Kurzbeschreibung (Abstract): | While the Java runtime is installed on billions of devices and servers worldwide, it remains a primary attack vector for online criminals. As recent studies show, the majority of all exploited Java vulnerabilities comprise incorrect or insufficient implementations of access-control checks. This paper for the first time studies the problem in depth. As we find, attacks are enabled by shortcuts that short-circuit Java's general principle of stack-based access control. These shortcuts, originally introduced for ease of use and to improve performance, cause Java to elevate the privileges of code implicitly. As we show, this creates many pitfalls for software maintenance, making it all too easy for maintainers of the runtime to introduce blatant confused-deputy vulnerabilities even by just applying normally semantics-preserving refactorings. How can this problem be solved? Can one implement Java's access control without shortcuts, and if so, does this implementation remain usable and efficient? To answer those questions, we conducted a tool-assisted adaptation of the Java Class Library (JCL), avoiding (most) shortcuts and therefore moving to a fully explicit model of privilege elevation. As we show, the proposed changes significantly harden the JCL against attacks: they effectively hinder the introduction of new confused-deputy vulnerabilities in future library versions, and successfully restrict the capabilities of attackers when exploiting certain existing vulnerabilities. We discuss usability considerations, and through a set of large-scale experiments show that with current JVM technology such a faithful implementation of stack-based access control induces no observable performance loss. |
| ID-Nummer: | TUD-CS-2017-0217 |
| Fachbereich(e)/-gebiet(e): | Profilbereiche Profilbereiche > Cybersicherheit (CYSEC) |
| Hinterlegungsdatum: | 07 Aug 2017 15:00 |
| Letzte Änderung: | 22 Jan 2019 10:13 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum